
Frappe — Vulnerabilities & Security Advisories (70)

Browse all 70 CVE security advisories affecting Frappe. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Frappe is an open-source web framework primarily utilized for building enterprise resource planning (ERP) applications, most notably through its flagship product, ERPNext. With seventy recorded Common Vulnerabilities and Exposures, the platform has faced significant scrutiny regarding its security posture. Historically, the most prevalent vulnerability classes include Remote Code Execution (RCE), Cross-Site Scripting (XSS), and SQL injection, often stemming from insufficient input validation or improper access controls within custom modules. Privilege escalation flaws have also been documented, allowing unauthorized users to gain elevated permissions. While the core framework itself receives regular updates, the extensive ecosystem of third-party apps introduces variability in security hygiene. Major incidents have largely involved misconfigurations or exploited bugs in specific integrations rather than fundamental architectural failures, highlighting the critical importance of rigorous patch management and secure coding practices for developers extending the Frappe platform.

Found 20 results / 70
| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39415 | Frappe Learning Management System has Client-Side Manipulation of Quiz Scores | lms | CWE-602 | 7.1 (AI) | High (AI) | 2026-04-08 |
| CVE-2026-34606 | Stored XSS in Frappe LMS | lms | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-04-02 |
| CVE-2026-26977 | Frappe Learning Management System exposes details of unpublished courses to unauthorized users | lms | CWE-862 | 4.3 | - | 2026-02-20 |
| CVE-2026-26031 | Frappe LMS affected by unauthorised user was able to access the full list of batch enrolled students | lms | CWE-863 | 5.3 (AI) | Medium (AI) | 2026-02-11 |
| CVE-2026-23497 | Frappe LMS has a Stored XSS via Unsanitized Image Filename in Course and Jobs Pages | lms | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-01-14 |
| CVE-2025-67734 | Frappe Authenticated Users can Execute JavaScript through its Job Form | lms | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-12-12 |
| CVE-2025-67730 | Frappe authenticated users can execute XSS through form description fields | lms | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-12-12 |
| CVE-2025-66581 | Frappe LMS is Missing Server-Side Authorization in Business Logic | lms | CWE-863 | 8.8 | - | 2025-12-05 |
| CVE-2025-64707 | Frappe LMS revoking access did not show immediate effect as roles were cached | lms | CWE-863 | 6.3 | - | 2025-11-12 |
| CVE-2025-64705 | Frappe user was able to access the submission of other students | lms | CWE-200 | 4.6 | - | 2025-11-12 |
| CVE-2025-62779 | Frappe Learning users were able to add HTML through input fields in the Job Form | lms | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-10-27 |
| CVE-2025-62778 | Frappe Learning allowed students to access the Quiz Form via direct URL | lms | CWE-425 | 5.3 (AI) | Medium (AI) | 2025-10-27 |
| CVE-2025-62158 | Frappe had attachments made by students to their assignments of type Text set to public | lms | CWE-200 | 7.5 (AI) | High (AI) | 2025-10-10 |
| CVE-2025-11283 | Frappe LMS Course cross site scripting | LMS | CWE-79 | 2.4 | Low | 2025-10-05 |
| CVE-2025-11282 | Frappe LMS Incomplete Fix CVE-2025-55006 cross site scripting | LMS | CWE-79 | 2.4 | Low | 2025-10-05 |
| CVE-2025-11281 | Frappe LMS Unpublished Course courses access control | LMS | CWE-284 | 5.0 | Medium | 2025-10-05 |
| CVE-2025-11280 | Frappe LMS Assignment Picture files direct request | LMS | CWE-425 | 3.7 | Low | 2025-10-05 |
| CVE-2025-59415 | Frappe Learning vulnerable to Malicious Content upload via Profile bio field | lms | CWE-79 | 4.6 | Medium | 2025-09-17 |
| CVE-2025-55006 | Frappe Learning Holds Potential for Malicious SVG Upload in Image Upload Feature | lms | CWE-20 | 4.3 | Medium | 2025-08-09 |
| CVE-2023-42807 | Frappe LMS SQL Injection Issue on People Page | lms | CWE-89 | 6.3 | Medium | 2023-09-21 |

This page lists every published CVE security advisory associated with Frappe. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.